From 71bd9b9cf91743bb61824dcc1eabe8bfb88c131a Mon Sep 17 00:00:00 2001
From: David Malone <dwmalone@FreeBSD.org>
Date: Sun, 9 Dec 2007 15:35:09 +0000
Subject: [PATCH] If we are walking the IPv6 header chain and we hit an
 IPPROTO_NONE header, then don't try to pullup anything, because there is no
 next header if we hit IPPROTO_NONE. Set ulp to a non-NULL value so the search
 for an upper layer header terinates.

This is based on Pekka's diagnosis, but I chose a simpler fix.

PR:		115261
Submitted by:	Pekka Savola <pekkas@netcore.fi>
Reviewed by:	mlaier
MFC after:	2 weeks
---
 sys/netinet/ip_fw2.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 77fc59fc6db8..1c25978afaf4 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -2535,9 +2535,12 @@ do {									\
 				break;
 
 			case IPPROTO_NONE:	/* RFC 2460 */
-				PULLUP_TO(hlen, ulp, struct ip6_ext);
-				/* Packet ends here. if ip6e_len!=0 octets
-				 * must be ignored. */
+				/*
+				 * Packet ends here, and IPv6 header has
+				 * already been pulled up. If ip6e_len!=0
+				 * then octets must be ignored.
+				 */
+				ulp = ip; /* non-NULL to get out of loop. */
 				break;
 
 			case IPPROTO_OSPFIGP: